[Bro] Error with a custom protocol decoder which returns an event with record type object
Emmanuel TORQUATO
Emmanuel.TORQUATO at monext.net
Mon Mar 9 06:09:47 PDT 2015
Hello everyone,
I am working on a banking protocol decoder and am trying to generate an event that returns an object of type record. I assume the protocol decoding is OK because it works when I raise an event with a Val (count or string) object.
When I change events.bif and analyzer.pac to return an event with a record object type, I get a core dump in Bro. The error is that the CBCOM::Message type is unknown in file /opt/bro-2.3.2/share/bro/base/bif/plugins/Bro_CBCOM.events.bif.bro
This type has been declared in the "events.bif" file.
I have followed what is done for the RADIUS protocol decoder under src/analyzer/protocol/radius in the Bro source files.
· Cbcom-protocol.pac:
    type CBCOM_PDU(is_orig: bool) = record {
        msg_length: uint32;
        pgi:        uint8[1];
        lgi:        uint8;
        zp:         CBCOM_TLV[] &length = lgi, &until($input.length() == 0);
        apdu:       case apdudata of {
            0       -> none: empty;
            default -> cb2a: CBCOM_APDU;
        };
    } &let{ apdudata: int = msg_length - lgi - 2; } &byteorder=bigendian;

    type CBCOM_TLV = record {
        # The check refers to this field, so it uses the field name ti.
        ti: uint8 &check(ti == 0x01 || ti == 0x05 || ti == 0x06 || ti == 0x07 || ti == 0x08 || ti == 0x0f || ti == 0x10 || ti == 0x11 || ti == 0x12 || ti == 0x19);
        li: uint8;
        vi: uint8[li];
    } &byteorder=bigendian;
    .....
· Cbcom-analyzer.pac, generating the event with the result (record type):
    ....
    function proc_cbcom_message(msg: CBCOM_PDU): bool
        %{
        RecordVal* result = new RecordVal(BifType::Record::CBCOM::Message);
        result->Assign(0, new Val(${msg.msg_length}, TYPE_COUNT));

        // Copy the pgi bytes and store them as a hex string.
        uint length = ${msg.pgi}->size();
        char buf[length];
        for ( uint i = 0; i < length; ++i ) {
            buf[i] = ${msg.pgi[i]};
        }
        result->Assign(1, string_to_val(get_hex_tostring(buf, length, true)));
        result->Assign(2, new Val(${msg.lgi}, TYPE_COUNT));

        if ( ${msg.zp}->size() )
            {
            // Table indexed by ti; each entry is a vector of hex-encoded values.
            TableVal* zp = new TableVal(BifType::Table::CBCOM::Zp);
            for ( uint i = 0; i < ${msg.zp}->size(); ++i ) {
                Val* index = new Val(${msg.zp[i].ti}, TYPE_COUNT);
                Val* current = zp->Lookup(index);
                uint length2 = ${msg.zp[i].vi}->size();
                char char_vi[length2];
                for ( uint j = 0; j < length2; ++j ) {
                    char_vi[j] = ${msg.zp[i].vi[j]};
                }
                Val* val = string_to_val(get_hex_tostring(char_vi, length2, true));
                if ( current )
                    {
                    // ti already seen: append to its vector.
                    VectorVal* vcurrent = current->AsVectorVal();
                    vcurrent->Assign(vcurrent->Size(), val);
                    }
                else
                    {
                    // First value for this ti: create the vector.
                    VectorVal* parametres = new VectorVal(BifType::Vector::CBCOM::Parametres);
                    parametres->Assign((unsigned int)0, val);
                    zp->Assign(index, parametres);
                    }
                Unref(index);
            }
            result->Assign(3, zp);
            }

        BifEvent::generate_cbcom_message(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), result);
        return true;
    .....
· event.bif with bro event with result as type record:
    event cbcom_message%(c: connection, result: CBCOM::Message%);
    event cbcom_apdu%(c: connection, itm: string%);
    event cbcom_pan%(c: connection, pan: string%);

    type CBCOM::Parametres: vector;
    type CBCOM::Zp: table;
    type CBCOM::Message: record;
Does anyone have an idea, or has anyone worked on the RADIUS decoder and could help me?
Thanks!
Regards,
T. +33 4 42 25 15 51
emmanuel.torquato at monext.net
www.monext.net
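
An added example, not part of the original message and not code from Bro: a stand-alone C++ check of the header and TLV layout declared in Cbcom-protocol.pac above, grouping values by ti the way the analyzer fills CBCOM::Zp and rejecting truncated or inconsistent lengths. It assumes pgi is a single byte and that msg_length counts the bytes after the length field; the names CbcomHeader, parse_cbcom_header, to_hex and kSample are hypothetical, and the sample bytes are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <string>
#include <vector>

// ti -> hex values in order of appearance, like the CBCOM::Zp table above.
using Zp = std::map<uint8_t, std::vector<std::string>>;
struct CbcomHeader {
    uint32_t msg_length = 0;
    uint8_t pgi = 0;
    uint8_t lgi = 0;
    Zp zp;
};

// Stand-in for the post's get_hex_tostring(), whose output format is not shown.
static std::string to_hex(const uint8_t* p, size_t n) {
    static const char digits[] = "0123456789abcdef";
    std::string out;
    for (size_t i = 0; i < n; ++i) {
        out.push_back(digits[p[i] >> 4]);
        out.push_back(digits[p[i] & 0x0f]);
    }
    return out;
}

// Returns false on any truncated or inconsistent length field.
bool parse_cbcom_header(const std::vector<uint8_t>& buf, CbcomHeader& h) {
    h = CbcomHeader();
    if (buf.size() < 6) return false;                 // msg_length + pgi + lgi
    h.msg_length = (uint32_t(buf[0]) << 24) | (uint32_t(buf[1]) << 16) |
                   (uint32_t(buf[2]) << 8) | uint32_t(buf[3]);
    h.pgi = buf[4];
    h.lgi = buf[5];
    if (h.msg_length < uint32_t(h.lgi) + 2) return false;  // apdudata would be < 0
    if (buf.size() - 6 < h.lgi) return false;         // zone runs past the buffer
    size_t pos = 6, end = 6 + h.lgi;
    while (pos < end) {
        if (end - pos < 2) return false;              // no room for ti + li
        uint8_t ti = buf[pos], li = buf[pos + 1];
        pos += 2;
        if (end - pos < li) return false;             // li overruns the zone
        h.zp[ti].push_back(to_hex(buf.data() + pos, li));
        pos += li;
    }
    return true;
}

// Constructed sample: two TLVs with ti=0x05 and an empty one with ti=0x06.
const std::vector<uint8_t> kSample = {0,0,0,10, 1, 8, 5,1,0xab, 5,1,0xcd, 6,0};
```
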